Chat now with support
Chat with Support

Recovery Manager for AD Forest Edition 10.0.1 - User Guide

Overview Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Install Active Directory from Media recovery method Install Active Directory recovery method Managing Forest Recovery Agent Rebooting domain controllers manually Specifying fallback IP addresses to access a domain controller Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Forest recovery overview Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web interface Appendices
Frequently asked questions Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Assigning roles to portal users

You can assign specific roles to the Recovery Manager Portal users. A role assigned to a user defines the Recovery Manager Portal user interface elements and functionality available to that user. You can only assign portal roles by using the account under which the Recovery Manager Portal was installed. By default, this account is granted all portal roles.

To assign portal roles, you can use local security groups existing on the computer where the Recovery Manager Portal is installed. By adding or removing members in these groups you can define the scope of authority for a portal user and the operations that the user can perform in the Recovery Manager Portal.

The local security groups are as follows:

  • Recovery Manager Portal - Configuration Admins. Members in this group have permissions to modify the Recovery Manager Portal configuration and delegate restore permissions to other Recovery Manager Portal users.
  • Recovery Manager Portal - Recovery Operators. Members in this group have permissions to restore or undelete Active Directory objects by using the Recovery Manager Portal.
  • Recovery Manager Portal - Undelete Operators. Members in this group have permissions to undelete Active Directory objects by using the Recovery Manager Portal.
  • Recovery Manager Portal - Monitoring Operators. Members in this group can view the health summary and backup creation history for the Recovery Manager for Active Directory instances with which the portal is configured to work.

Delegating restore or undelete permissions

You can delegate permissions to restore or undelete objects in specific Active Directory containers to the users or groups of your choice. These users or groups must reside in the Active Directory forest where the Recovery Manager Portal is installed and be assigned an appropriate portal role. For more information about portal roles, see Assigning roles to portal users.

To delegate restore permissions, you also must have a specific role in the Recovery Manager Portal. For details, see Assigning roles to portal users.

To delegate permissions

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Active Directory Domains.
  4. Click the name of the domain that includes the containers on which you want to delegate permissions.
  5. Click Configure a list of delegates, and then expand the domain entry.
  6. Click the container on which you want to delegate permissions.
  7. Click Add, to specify delegates to the Users or groups list.
  8. In the dialog that opens, you can find and add users and groups from any trusted domain in the Active Directory forest.
    • If the account that you are adding is from the same domain:
      1. Enter the name and click the magnifying glass to search.
      2. Click Add next to the account you want to add.
    • If the account that you are adding is from a different domain:

      1. Click the domain name link next to 'Search in'.
      2. Select the domain where the account resides.
      3. Enter the name and click the magnifying glass to search.
      4. Click Add next to the account you want to add.

  9. Below the Users and groups list, select the operations you want to grant or deny to the added users or groups.
  10. When you are finished, click OK. If necessary, repeat steps 6-9 for other containers in the domain.

Configuring e-mail notification

You can configure the Recovery Manager Portal to send notification e-mails to specific recipients when the health state of any Recovery Manager for Active Directory instance with which the Recovery Manager Portal is configured to work changes from healthy to unhealthy or vice versa.

To configure e-mail notification

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings, and then click E-mail notification.
  4. Use the following options in the dialog box that opens:
    • Outgoing SMTP server. Type the fully qualified domain name (FQDN) or IP address of the SMTP server you want to use for sending notification e-mails.
    • SMTP port. Type the number of the port on which you want to connect to the server.
    • Sender e-mail address. Type the e-mail address you want to display in the From field of all notification e-mail messages.
    • Notification recipients. Here you can specify a list of notification recipients. To specify multiple values, use semicolon as the separator.
  5. User name and password. Type the user name and password of the user account you want to use to send notification e-mails from the SMTP server. The account must have the appropriate permissions.
  1. When you are finished, click OK to apply your settings.

How Recovery Manager Portal recovers data

Please consider the following behavior of the Recovery Manager Portal:

  • By default, the permissions to restore or undelete objects in an Active Directory domain are only granted to the members of the Domain Admins group in that domain. However, you can delegate the restore or undelete permissions to the portal users you want. For more information, see Delegating restore or undelete permissions.
  • By default, the Recovery Manager Portal uses the agent-based method for all search and restore operations, regardless of the settings configured on the Recovery Manager for Active Directory instance used to perform these operations. For more information about the agent-based method, see Agent-based method in Using agentless or agent-based method. You can change the portal settings to use the agentless method.

To use the agentless method

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings, and then select the Use agentless method for all search and restore operations check box.

To undelete an Active Directory object, the Recovery Manager Portal uses Microsoft’s Active Directory Recycle Bin feature if it is enabled in the target forest. If this feature is unavailable, the Recovery Manager Portal restores the object from the latest available unpacked backup that includes the object before its deletion.

Related Documents